Legitimate use of mmc.exe accessing apds.dll may occur during routine system management or troubleshooting. Verify with approved administrative activities to reduce false alerts.

Techniques

Sample rules

Windows GrimResource - MMC Process Accessing APDS DLL

Description

GrimResource is a code execution technique discovered by Elastic Security in 2024 that abuses a stored XSS vulnerability in apds.dll to achieve arbitrary code execution inside mmc.exe (Microsoft Management Console), a signed, trusted Windows binary. The attack is delivered via a malicious .msc file (MMC Saved Console file). When the victim opens the .msc file, MMC processes an embedded transformNode operation that triggers the XSS in apds.dll, which is then leveraged to execute attacker-controlled script within the MMC process context. The detection below therefore looks for the one artifact common to every variant: mmc.exe reading apds.dll, as recorded by a Windows Security file-access audit event.

Detection logic

`wineventlog_security` AccessList="%%4416" EventID="4663" ObjectName="*:\\Windows\\System32\\apds.dll" ProcessName="*:\\Windows\\System32\\mmc.exe"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer AccessList EventID ObjectName ProcessName
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_grimresource___mmc_process_accessing_apds_dll_filter`
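The same logic replayed outside Splunk, as an added example that is not part of the Splunk content or Elastic's research: it applies the base search, the stats/rename aggregation and a stand-in for the tuning filter macro to constructed 4663 records. The sample events, the field names as plain dictionary keys and the approved_hosts allowlist are assumptions of this example.

```python
import fnmatch
from datetime import datetime

# Constructed sample records standing in for parsed wineventlog_security 4663 events.
SAMPLE_EVENTS = [
    # Two reads of apds.dll by mmc.exe on WS01: the GrimResource pattern.
    {"_time": "2024-07-01T09:00:05", "Computer": "WS01", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": r"C:\Windows\System32\apds.dll", "ProcessName": r"C:\Windows\System32\mmc.exe"},
    {"_time": "2024-07-01T09:00:07", "Computer": "WS01", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": r"C:\Windows\System32\apds.dll", "ProcessName": r"C:\Windows\System32\mmc.exe"},
    # Same DLL read by another process: not the pattern.
    {"_time": "2024-07-01T09:01:00", "Computer": "WS01", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": r"C:\Windows\System32\apds.dll", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # The pattern on a host where admins routinely use MMC (an expected source of false positives).
    {"_time": "2024-07-01T09:03:00", "Computer": "ADMIN01", "EventID": "4663", "AccessList": "%%4416",
     "ObjectName": r"D:\Windows\System32\apds.dll", "ProcessName": r"D:\Windows\System32\mmc.exe"},
]

# The search's wildcard values; "*:" lets the pattern match any drive letter.
OBJECT_PATTERN = r"*:\Windows\System32\apds.dll"
PROCESS_PATTERN = r"*:\Windows\System32\mmc.exe"


def matches(ev):
    """The base search: EventID 4663, access %%4416, apds.dll touched by mmc.exe (case-insensitive)."""
    return (ev.get("EventID") == "4663" and ev.get("AccessList") == "%%4416"
            and fnmatch.fnmatchcase(ev.get("ObjectName", "").lower(), OBJECT_PATTERN.lower())
            and fnmatch.fnmatchcase(ev.get("ProcessName", "").lower(), PROCESS_PATTERN.lower()))


def detect(events, approved_hosts=frozenset()):
    """Mirror the stats/rename stages: one row per (dest, AccessList, EventID,
    ObjectName, ProcessName) with count, firstTime and lastTime. approved_hosts
    (an assumption here) stands in for the *_filter macro, tuning out hosts where the access is expected."""
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        key = (ev["Computer"], ev["AccessList"], ev["EventID"], ev["ObjectName"], ev["ProcessName"])
        t = datetime.fromisoformat(ev["_time"])
        row = rows.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
    return [
        {"dest": dest, "AccessList": acc, "EventID": eid, "ObjectName": obj, "ProcessName": proc, **agg}
        for (dest, acc, eid, obj, proc), agg in rows.items() if dest not in approved_hosts
    ]
```

Calling detect(SAMPLE_EVENTS, approved_hosts={"ADMIN01"}) yields a single WS01 row with count 2; without the allowlist the ADMIN01 row is reported as well, which is exactly the false positive the note at the top of this page describes.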